Crypto Bug Bounty Payouts: Inside the $100 Million Economy
Crypto's bug bounty economy has paid whitehats over $100 million, topped by a $10 million Wormhole payout. Ghosted researchers and sham bounty claims show the system still has cracks.
On February 24, 2022, a pseudonymous security researcher going by satya0x sent Wormhole a message about its core bridge contract on Ethereum. An old proxy upgrade had left part of the contract uninitialized, meaning anyone who noticed could seize control of the bridge’s guardian set and, eventually, everything it held. Wormhole fixed it the same day. Three weeks earlier, the same protocol had lost $325 million in ETH to a completely different bug, one nobody caught in time. This time nothing was stolen, and Wormhole paid satya0x $10 million, still the largest single bug bounty ever paid in crypto as of mid-2026, according to The Block’s reporting at the time.
That is the version of the story crypto likes to tell about itself: attackers and defenders racing for the same bug, and this time the good guys won, got paid, and moved on. The fuller picture is messier. The same industry that hands out eight-figure rewards for a single disclosure also has researchers publishing public “wall of shame” repositories after being ghosted for months, exchanges accusing security firms of extortion over a bounty negotiation, and federal prosecutors treating the phrase “bug bounty” as a label criminals hide behind rather than a defense. This is where crypto’s bug bounty economy actually stands in mid-2026: how big it has gotten, who runs it, what it has paid out, and where it keeps breaking down.
What a Bug Bounty Actually Is, and Why Crypto Rewrote the Rules
A bug bounty is a standing offer: find a security flaw, report it privately through an approved channel, and get paid instead of exploiting it or selling it to someone who will. The concept predates crypto by decades. Netscape ran an early version in 1995, and Google, Facebook and Microsoft normalized structured programs between 2010 and 2012, typically paying anywhere from a few hundred dollars to low six figures depending on severity, with a company employee deciding what counts as critical.
Crypto changed the economics of that exchange. In most software, a critical vulnerability lets an attacker steal data, hijack an account, or cause disruption, all of which take time to monetize and carry real risk of getting caught. In a smart contract, a critical vulnerability is very often a direct, immediate, and frequently irreversible path to whatever is sitting in the contract at that moment. As Immunefi founder and CEO Mitchell Amador put it in an interview with Cryptonews, “Crypto flips the rules. In Web2, attackers need motivation. In crypto, the money is the motivation. If you launch a smart contract with $100 million in it, you just put a price tag on every single bug.”
That single fact, that the exploit and the payday are the same transaction, is why crypto bounty ceilings dwarf their Web2 counterparts. A maximum reward in the low six figures makes sense for a company where the worst-case bug leads to a data breach and a lawsuit. It makes far less sense for a lending protocol holding nine figures in user deposits, where the realistic alternative to a six-figure bounty is a nine-figure theft. So crypto programs price bounties as a fraction of funds at risk rather than a fixed schedule, and the top of the market now runs into eight figures for a single report.
The Platforms Running Web3’s Bounty Economy
A handful of platforms broker most of this activity. Immunefi, launched in December 2020, is by far the largest: as of this writing it lists 192 active bounty programs, and its own five-year research, covering January 2021 through February 2026 across 593 programs studied, puts cumulative payouts for confirmed critical-severity bugs alone at $107.3 million, with the single Wormhole payout accounting for close to a tenth of that total, according to Immunefi’s own research team.
HackerOne, the generalist platform better known for enterprise and government programs, has a smaller but fast-growing crypto vertical: valid crypto and blockchain vulnerability reports on the platform jumped 147% year over year even as overall valid reports across all industries rose 12%, and HackerOne paid out $81 million across its full platform in the past year, up 13% year over year.
Sherlock built its bounty product around a stake-to-submit model: researchers post $250 in USDC with every report, refunded if the bug is valid, which the platform credits for a 52% hit rate on submissions it classifies as impactful. Sherlock is also the platform behind the largest bounty currently posted anywhere in tech: a $16 million program launched in March 2026 by the stablecoin protocol Usual, backed in part by Nexus Mutual, that eclipsed the previous records held by Uniswap v4 ($15.5 million) and LayerZero ($15 million), both hosted on Immunefi, according to Sherlock’s own writeup of the market.
Hats Finance takes a more permissionless approach: bounty vaults live entirely on-chain, projects pre-fund the reward pool themselves, and there is no KYC requirement to submit a report. HackenProof, smaller and generally linked to Hacken’s audit business, has paid out more than $26 million across nine years of operation. The table below compares how the main venues are set up.
| Platform | Model | Notable data point |
|---|---|---|
| Immunefi | Curated listings, no researcher stake required | 192 active programs; $107.3M paid for confirmed critical bugs since 2021 |
| HackerOne | Generalist platform with a growing web3 vertical | $81M paid platform-wide in the past year; crypto reports up 147% YoY |
| Sherlock | Stake-to-submit ($250 USDC per report), expert triage | Hosts the $16M Usual bounty, the largest active program in tech |
| Hats Finance | Fully on-chain, permissionless vaults, no KYC | Projects self-fund reward vaults directly on-chain |
| HackenProof | Curated, linked to Hacken’s audit business | Over $26M paid out across nine years |
The Record Books: Crypto’s Largest Bug Bounty Payouts
Size the ceilings against what has actually been paid and a pattern shows up: the biggest posted maximums keep climbing, but the biggest confirmed check is still the one Wormhole wrote in 2022. Usual’s $16 million, Uniswap v4’s $15.5 million and LayerZero’s $15 million are all program ceilings, the most a researcher could theoretically collect for the single worst possible bug, and none of them has been paid out at that level. The table below separates what protocols say they will pay from what has actually changed hands.
| Protocol | Researcher | Year | Amount | Status |
|---|---|---|---|---|
| Usual (via Sherlock) | N/A | 2026 | $16,000,000 | Maximum offered, not yet paid |
| Uniswap v4 (via Immunefi) | N/A | 2023 to present | $15,500,000 | Maximum offered, not yet paid |
| LayerZero (via Immunefi) | N/A | 2023 to present | $15,000,000 | Maximum offered, not yet paid |
| Wormhole | satya0x | 2022 | $10,000,000 | Paid in full |
| Aurora | pwning.eth | 2022 | $6,000,000 | Paid in full |
| Polygon | Leon Spacewalker | 2021 | $2,200,000 | Paid in full |
| Polygon | Gerhard Wagner | 2021 | $2,000,000 | Paid in full |
The two Polygon payouts, four months apart in 2021, remain a useful before-and-after: Wagner’s report on the Plasma Bridge covered a bug that put roughly $850 million at risk, and Spacewalker’s December disclosure covered a separate flaw that put an estimated $18 billion at risk across the network, according to contemporaneous reporting from CSO Online. Aurora’s $6 million payout to a researcher known as pwning.eth covered an inflation bug in its EVM environment that could have let an attacker mint enough ETH to drain roughly 70,000 ETH, worth around $210 million at the time, according to The Block’s coverage. That researcher later became a founding member of Immunefi’s invite-only All Stars cohort for its most consistent bug hunters.
How a $325 Million Hack Led to a $10 Million Bounty
The Wormhole story is really two separate incidents, and conflating them misses the point. On February 2, 2022, an attacker exploited a signature verification flaw in Wormhole’s Solana-to-Ethereum bridge and minted 120,000 ETH out of thin air, worth roughly $325 million at the time. Wormhole’s team tried the standard crisis playbook: they messaged the attacker on-chain, offering $10 million and a no-questions-asked whitehat agreement if the funds came back. The attacker never responded. Within hours, Jump Crypto, Wormhole’s principal backer, replenished the bridge with 120,000 ETH from its own balance sheet to keep the protocol solvent, a decision that arguably only a well-capitalized market maker could have made.
That $10 million offer to the attacker was never collected. The $10 million that actually got paid went to someone else entirely, three weeks later, for an unrelated bug. On February 24, satya0x reported that an old proxy upgrade had left part of Wormhole’s core bridge contract on Ethereum uninitialized, meaning anyone who spotted it first could pass in their own guardian set and take control of contract upgrades going forward. Wormhole verified and patched it the same day the report came in, before anyone could act on it, and paid out its full critical-tier maximum.
Read together, the two events make an uncomfortable but honest case for why bounty programs exist: the same protocol, weeks apart, saw one bug get exploited for $325 million because no whitehat found it first, and another get disclosed safely because the incentive to report it now clearly outweighed the incentive to sit on it. The bounty program did not prevent the first hack. It plausibly prevented the second one from becoming a repeat of the first.
Does the Math Work? What Bounties Cost Versus What Hacks Cost
Immunefi’s own numbers make the return-on-investment argument bluntly. Across its five-year dataset, the median critical bounty paid out was $20,000, and the mean was $114,355, skewed upward by outliers like Wormhole. Over the same window, the median crypto hack in 2024 and 2025 cost protocols $2.2 million, and the average, again skewed by mega-hacks, was $24.5 million. Programs running five years or longer found at least one confirmed critical bug 93.9% of the time; that rate climbs from 61.4% after a program’s first year to 92.9% after four years, meaning most bounty programs that stick around long enough eventually catch something that would otherwise have been catastrophic.
HackerOne makes a similar case from its side of the market, estimating that every dollar a company spends on its bug bounty program corresponds to roughly $15 in avoided losses, and crediting structured disclosure with mitigating an estimated $3 billion in losses across its platform in the first half of 2025 alone. Neither figure is independently audited, and both come from platforms with an obvious commercial interest in the answer, but the underlying logic is hard to dispute: a five or six-figure bounty is cheap insurance against a seven or eight-figure loss, provided the bug actually gets found and reported before someone less scrupulous finds it first.
Bounties are not a substitute for the audits protocols commission before launch, they are what catches what audits miss. Multiple independent audits still leave gaps, which is why the biggest programs increasingly run pre-launch audit contests and post-launch bounties in parallel rather than treating either as sufficient on its own. HOGE Wire’s review of the major audit firms covers how that pre-launch layer works and where it still falls short.
Safe Harbor: Legal Cover for Whitehats Who Step Into a Live Exploit
Everything described so far assumes a researcher finds a bug before anyone exploits it. A separate, harder problem is what to do when an exploit is already underway and a whitehat spots it in real time. Racing an attacker to drain a vulnerable contract first, so the funds can be returned rather than stolen, is technically also unauthorized access to a smart contract, and doing it with no advance agreement in place leaves the rescuer legally exposed even though their intent was to help.
The Security Alliance, a nonprofit better known as SEAL and closely associated with pseudonymous researcher samczsun, Paradigm’s head of security, built a standing answer to that problem: the Whitehat Safe Harbor Agreement, launched in 2024. Protocols adopt the agreement in advance, which pre-authorizes any whitehat to intervene during an active exploit, take control of at-risk funds for temporary safekeeping, and return them under agreed terms, rather than negotiating legal cover in the middle of a crisis. According to SEAL’s own framework documentation, the standard terms include:
- Rescued funds must be returned within 72 hours of the intervention
- The whitehat is entitled to a reward equal to 10% of the amount recovered
- That reward is capped at $1 million regardless of how much was rescued
- The protocol must have adopted the agreement in advance for its protections to apply
Uniswap, Balancer and dozens of other protocols covering more than $68 billion in combined value have adopted the agreement. Two earlier, messier episodes show why protocols wanted a standing framework instead of improvising each time. In August 2021, an attacker drained more than $600 million from Poly Network, then, unprompted, began returning it. Poly Network publicly begged the attacker, whom it nicknamed “Mr. White Hat,” to finish the job, offering a $500,000 bounty and even a job as the protocol’s chief security advisor. The hacker initially refused the money, then relented after the last funds were returned, asking that the reward go toward the security community instead, per CNBC’s reporting at the time. In March 2023, after a flash-loan attacker drained close to $200 million from Euler Finance, Euler issued a 24-hour ultimatum demanding 90% of the funds back or a $1 million reward would go toward identifying them; the attacker, negotiating on-chain under the name “Jacob,” returned the large majority of what was recoverable over the following weeks, and Euler canceled the reward once the funds were back, as Fortune detailed in its account of the negotiation. Both worked out, eventually, through improvisation. Safe Harbor exists so the next one does not have to.
Recovery Bounties: The Bybit Playbook for a $1.5 Billion Heist
Not every large reward is for finding a bug. On February 21, 2025, Bybit lost roughly $1.4 to $1.5 billion in ETH in what is still the largest single crypto theft on record, after attackers compromised the signing interface its multisig cold wallet relied on. The funds moved during a routine transfer that Bybit’s signers approved believing they were looking at the real transaction; what they actually approved handed control of the wallet to the attacker. It is a custody failure as much as a smart contract bug, and it is a useful reminder that who holds the keys, and how they verify what they are signing, matters as much as any single line of contract code, a theme HOGE Wire’s comparison of crypto custody models covers in more depth. Multiple blockchain security firms and researchers have attributed the theft to North Korea’s Lazarus Group.
Bybit’s response was a different category of bounty altogether: not “find our bug” but “help us find our money.” The exchange posted a $140 million recovery pool, structured so that anyone who traced a portion of the stolen funds earned 5% of that amount, and anyone, typically an exchange or platform, who actually froze it earned another 5%, according to TechCrunch’s coverage of the offer. Months later, the results were modest relative to the scale of the theft: roughly $2.3 million had been paid out to 13 bounty hunters, more than $73 million had been frozen, and only around $30 million had actually been recovered, while over $1 billion had already moved through mixers and cross-chain hops well beyond practical reach.
Immunefi’s response to the same event was structural rather than financial: weeks after the hack, it launched All Stars, an invite-only tier for its most consistent top researchers, explicitly citing the Bybit theft and the broader rise in on-chain losses as the reason for building a more dedicated bench of talent rather than relying purely on open, one-off submissions.
When a Bounty Claim Becomes an Extortion Charge
The word “bounty” does no legal work on its own. What separates a legitimate whitehat disclosure from criminal extortion is whether the researcher reported the issue and let the protocol decide the reward, or used the vulnerability itself as leverage to dictate terms. Three recent cases show how blurry that line gets in practice, and how differently it can end.
In June 2024, the security firm CertiK discovered a bug in Kraken’s deposit system that let an account artificially inflate its balance. Rather than simply reporting it, CertiK’s researchers tested it live, minting close to $3 million out of Kraken’s own treasury over several days, and then declined to return the funds until Kraken told them how much the bug could have cost had it gone undisclosed. Kraken, which had run a bug bounty program for a decade, called it exactly what it looked like: Chief Security Officer Nick Percoco wrote publicly that the researchers “demanded a call with their business development team… and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!,” as CoinDesk reported at the time. Kraken, one of the exchanges HOGE Wire covers in its comparison of major centralized platforms, eventually recovered the funds from CertiK, minus transaction fees, but no bounty was paid.
A federal indictment unsealed in February 2025 shows how far the same dynamic can go. Prosecutors charged Canadian national Andean Medjedovic with wire fraud, computer hacking, attempted extortion and money laundering over roughly $65 million drained from the KyberSwap and Indexed Finance protocols between 2021 and 2023. According to the Department of Justice, Medjedovic later proposed a “settlement” demanding full control of the KyberSwap protocol and its DAO in exchange for returning half of what he had taken, a demand prosecutors characterized as attempted extortion rather than negotiation. He remains a fugitive. A separate case brought by the Southern District of New York accused a Maryland man of draining roughly $1.4 million from a project called Uranium and then negotiating a “sham bug bounty” that let him keep $386,000 of it in exchange for returning the rest and staying quiet, a deal prosecutors said was designed specifically to look like whitehat behavior after the fact.
The distinction prosecutors and exchanges keep drawing is procedural: report first and let the protocol set the reward, or take the money first and use it as a bargaining chip. The first path, even when a project lowballs the payout, stays on the right side of the law. The second increasingly does not, no matter what the person doing it calls it.
Ghosted: Why Whitehats Do Not Always Get Paid
The opposite failure mode gets far less attention: researchers who follow every rule and still do not get paid. In March 2026, a researcher known as al_f4lc0n disclosed a subaccount validation flaw in Injective that would have let an attacker force other users’ accounts to buy a worthless token at an inflated price, putting an estimated $500 million at risk. Injective fixed the bug through a governance vote, then, according to the researcher, went silent for three months before eventually offering $50,000, one tenth of the $500,000 maximum listed on its own Immunefi page, which the researcher says still had not been paid by the time the dispute became public. Unable to get a response through normal channels, the researcher published a GitHub repository documenting the timeline under the name “injective-wall-of-shame,” a public-pressure tactic that has become increasingly common when private escalation fails, as Protos reported.
This is not a new complaint. Halborn co-founder Steven Walbroehl, himself a former bounty hunter, has described a familiar pattern of projects downplaying a disclosure’s severity or claiming they had already found the bug internally, specifically to justify paying less or nothing at all, telling Cointelegraph that a researcher who finds a multimillion-dollar exploit but is offered a token $5,000 reward has little practical incentive to keep playing by the rules next time.
A different kind of breakdown hit the open-source side of the industry in 2026. HackerOne’s Internet Bug Bounty program, which funds disclosures against widely used open-source infrastructure, saw the share of valid submissions collapse from roughly 15% to under 5% as automated, AI-generated reports flooded the queue, plausible-looking but rarely exploitable, overwhelming the volunteer maintainers who have to triage each one. The program paused new submissions entirely on March 27, 2026, and by May had cut its remaining reward tiers by more than 75%, dropping the top critical-severity payout from $9,250 to $2,257, according to The Register. It is a different failure than a project simply refusing to pay, but the effect on researcher trust is similar: if the terms under which a bug was reported can be rewritten after the fact, structured disclosure starts to look like a worse deal than it advertises.
Stake-to-Submit and On-Chain Vaults: The Model Keeps Evolving
Some of that friction predates the 2026 AI-slop wave and is simply structural: low-quality or duplicate reports have always been the biggest operational cost for any bounty program, human-generated or not. Sherlock’s answer, requiring a small refundable USDC stake with every submission, is designed to filter out speculative or copy-pasted reports before a human triager ever has to look at them. Hats Finance takes the opposite approach to the same underlying problem, keeping everything, including the reward vaults themselves, on-chain and permissionless, betting that transparency about exactly what funds are available deters low-effort submissions better than a financial gate does.
Infrastructure-layer protocols have adopted the standard bounty model too, not just application-layer DeFi. SSV Network, whose distributed validator technology underpins a large share of Ethereum restaking activity, runs an active Immunefi program with a $250,000 maximum, one of several infrastructure projects that treat a bounty program as a permanent line item rather than a launch-week formality. HOGE Wire’s explainer on SSV’s restaking architecture covers what that infrastructure actually secures. Immunefi’s own All Stars program, built around researchers like Aurora-payout earner pwning.eth and top earner LonelySloth, who has generated $3.6 million in career earnings on the platform, formalizes the same idea from the researcher side: a small group of repeat, trusted hunters increasingly gets first access to the highest-value private engagements, rather than every report competing in an open queue.
Crypto Bounties Versus Big Tech: A Different Order of Magnitude
Big Tech effectively invented the modern bug bounty and still runs the largest programs by volume, but crypto has pulled well ahead at the very top end. Google paid out $17.1 million to security researchers in 2025, a 40% jump from roughly $12 million in 2024, spread across 747 individually paid researchers, according to SecurityWeek. Apple has awarded more than $35 million to over 800 researchers since its public Security Bounty program launched in 2020, and doubled its own top-tier award to $2 million in October 2025, as 9to5Mac reported.
Those are healthy, growing programs by any historical standard, and collectively they still touch far more researchers than any single crypto platform. But none of them has ever paid an individual researcher anywhere close to what Wormhole paid satya0x in one transaction, let alone the $15 million to $16 million ceilings Uniswap, LayerZero and Usual currently advertise. The gap is not a sign that crypto values security more; it is a direct function of what is actually at stake. A critical bug in a consumer tech product is bounded by what the company decides to pay for it. A critical bug in a $500 million DeFi vault is bounded by the $500 million sitting in the vault, and pricing follows accordingly.
| Program | Recent payout total | Notable detail |
|---|---|---|
| $17.1M (2025) | Up 40% year over year; 747 researchers paid | |
| Apple | $35M+ since 2020 | Over 800 researchers; top award doubled to $2M in Oct. 2025 |
| Immunefi (crypto) | $107.3M lifetime, critical bugs only | Single largest payout: $10M (Wormhole, 2022) |
| HackerOne (all industries) | $81M in the past year | Crypto and blockchain reports up 147% YoY |
2025 to 2026 By the Numbers: Losses Down, Bounties Up
Zoom out to the full loss ledger and bounty payouts start to look small, which is arguably the point. Immunefi’s tally puts total crypto losses in 2025 at $3.4 billion, but that headline figure is heavily skewed by operational security failures rather than smart contract bugs: the Bybit theft alone accounts for $1.5 billion of it, or 44% of the year’s total, according to The Block’s coverage of the report. Strip out Bybit and other large wallet and key compromises, and the loss attributable specifically to smart contract and blockchain code drops to roughly $790 million for the year, a 0.66% loss rate against value at risk that Immunefi describes as the strongest year on record for code-level security. Across 2024 and 2025 combined, 191 publicly disclosed incidents drained $4.67 billion, and the five-year total since 2021 sits at $11.9 billion across 425 hacks.
Set against that, $107.3 million in critical bounty payouts over roughly the same stretch is well under 1% of what was actually stolen, which is not a knock on bounty programs so much as a reminder of what they are and are not. They are not compensation, and they do not undo a hack that already happened. Tokens that get hacked rarely recover afterward regardless of any bounty paid out later: Immunefi’s research found a median decline of 61% in a hacked project’s token price over the following six months, and 84% of hacked tokens never regain their pre-hack price at all. Bounties are underpriced insurance against the bug happening in the first place, not a cleanup tool, and the data suggests that when protocols actually fund and honor them, the insurance mostly works.
The Regulatory Backdrop: DOJ, SEC and the Whitehat Gray Zone
There is no federal statute in the United States that defines a bug bounty or grants whitehat hackers immunity for accessing a system without permission, even briefly and with good intentions. SEAL’s Safe Harbor Agreement and every platform’s individual terms of service are private contracts, not law; they protect a researcher only to the extent a specific protocol adopted the terms in advance and the researcher’s conduct actually matched them. That gap is exactly what makes the Medjedovic and Uranium cases prosecutable despite the presence of a nominal “bounty” or “settlement” framing somewhere in the story.
The broader enforcement posture around crypto has shifted since the change in SEC leadership, with the agency’s Crypto Task Force generally moving away from regulation-by-enforcement against exchanges and token issuers, a shift HOGE Wire has tracked in detail in its review of SEC crypto enforcement. That softer posture, though, is specific to registration and securities-law questions. Hacking, fraud and extortion remain squarely enforcement priorities regardless of which administration is in office; the Justice Department’s own 2025 guidance to prosecutors explicitly named fraud and hacking as areas where digital-asset cases should continue, even as it pulled back from cases that amounted to imposing securities registration requirements through litigation. A protocol declining to pay a bounty is, practically speaking, a contract or reputational dispute a researcher has to fight in public or through arbitration. A researcher who takes funds first and negotiates after is looking at the same criminal exposure they would face outside crypto entirely.
One more mundane but real compliance layer sits underneath all of this: bounty income is taxable income. In the United States, a researcher paid through a platform like Immunefi or HackerOne typically receives a 1099-NEC and owes self-employment tax on top of ordinary income tax, the same as any other freelance work, regardless of whether the payout arrived in stablecoins, ETH, or a wire transfer.
What This Means Going Forward
The aggregate numbers make a genuinely strong case for the model: bounty programs that run long enough tend to catch the bug that would have been catastrophic, the median cost of catching it is a rounding error next to the median cost of missing it, and a framework for handling live exploits legally now exists in a form protocols can adopt before disaster rather than negotiate during it. That case only holds, though, for researchers who actually get paid what was promised, on the timeline it was promised.
The system currently runs almost entirely on voluntary good faith. No regulator requires a protocol to honor its own posted bounty ceiling, no court reliably enforces one either, and the recourse available to a stiffed researcher, mostly public pressure through leaderboards, wall-of-shame repositories and reporters willing to write the story, only works if enough people are watching. As ceilings keep climbing toward eight figures and platforms keep experimenting with stakes, vaults and invite-only researcher tiers to manage the load, the harder problem is no longer attracting talent to look for bugs. It is convincing that talent the payout will actually arrive when they find one.
Frequently Asked Questions
What is the biggest bug bounty ever paid in crypto?
The largest confirmed bug bounty payout in crypto history is $10 million, paid by Wormhole to a researcher known as satya0x in 2022 for privately disclosing a critical flaw in the protocol’s core bridge contract on Ethereum. Several newer programs, including Usual’s $16 million bounty on Sherlock and Uniswap v4’s $15.5 million bounty on Immunefi, now advertise higher maximum ceilings, but as of mid-2026 none of them has actually paid out at that level, so Wormhole’s payout remains the largest amount actually collected.
How do crypto bug bounty programs work?
A protocol lists a program on a platform such as Immunefi, HackerOne, Sherlock or Hats Finance, specifying which contracts are in scope and how much it will pay for each severity tier, from informational up to critical. A researcher who finds a qualifying bug submits it privately through the platform rather than exploiting it. The platform or the project’s own security team verifies the report, assigns a severity level, and issues payment, usually in stablecoins or the protocol’s native token, once the bug is confirmed and, in most cases, fixed.
Is bug bounty income taxable?
In the United States, yes. Bug bounty payments are generally treated as self-employment income, and researchers typically receive a 1099-NEC from the platform that paid them, then owe both ordinary income tax and self-employment tax on the amount, reported on Schedule C and Schedule SE. This applies regardless of whether the payout is made in fiat, stablecoins or another cryptocurrency; receiving payment in crypto can also trigger separate capital gains obligations if the tokens are later sold at a different price than their value on the day they were received.
What is the SEAL Whitehat Safe Harbor Agreement?
The Whitehat Safe Harbor Agreement is a legal framework from the Security Alliance (SEAL) that protocols can adopt in advance to pre-authorize whitehat hackers to intervene during an active, in-progress exploit, take control of at-risk funds for safekeeping, and return them without facing prosecution or civil claims from the protocol. Under its standard terms, rescued funds must be returned within 72 hours, and the whitehat is entitled to a reward equal to 10% of the amount recovered, capped at $1 million. It is distinct from a standard bug bounty, which covers vulnerabilities reported before they are exploited.
What happens if a company refuses to pay a promised bug bounty?
There is usually no fast legal remedy. A posted bounty is not automatically a binding legal offer in most jurisdictions, and pursuing a breach-of-contract claim over a five or six-figure reward is often not worth the cost of litigation for an individual researcher. In practice, unpaid or underpaid researchers rely on public pressure, posting the dispute on social media, leaderboards or dedicated repositories documenting the timeline, to push a project toward paying or to warn other researchers away from that program in the future. Some, like CertiK in its dispute with Kraken, have instead kept funds directly rather than waiting to be paid, which exchanges and prosecutors have characterized as extortion rather than legitimate recourse.
Written by the HOGE Wire security desk.